UK OperationalOperational Resilience

UK Operational Resilience directly references, and draws upon principles and concepts outlined in several key regulatory documents and standards. Here are some of the most important ones:

Supervisory Statements by UK Regulators:

• PRA Supervisory Statement SS2/21: Operational Resilience: Details PRA expectations for regulated entities regarding the method for setting impact tolerances, scenario testing, and governance.
• FCA & PRA Policy Statement PS21/3: Building Operational Resilience: Offers a comprehensive overview and more guidance, incorporating international norms.
•  

Bank of England (BoE) Papers & Frameworks:

• The Bank of England’s operational resilience framework (2018): Establishes the foundation with the introduction of important business services, impact tolerances, and scenario testing.
• BoE Discussion Paper on Outsourcing and third-party risk management (2018): Stresses the management of risks from third party dependencies, which UK Op Res prominently addresses.

International Standards & Best Practices:

• Basel Committee on Banking Supervision (BCBS) Principles for Operational Resilience (2021): Delivers worldwide directives for operational resilience structures that have impacted UK regulatory approaches.
• The Financial Stability Board’s guidance on cyber resilience (2020): Is in tune with the UK model, underlining cybersecurity as a key part of operational resilience.

Other Relevant References

• UK Government National Cyber Security Strategy: Deals with the general scope of cybersecurity threats, which underpins operational resilience rules for financial institutions.
• Relevant industry standards (e.g., ISO 27001, NIST Cybersecurity Framework) could be drawn upon by firms in the creation of their operational resilience plans and in illustrating fulfillment.

Key Requirements of UK Operational Resilience:

• Identifying Important Business Services: Financial institutions must define those services essential to their operations and the broader UK economic scheme.
• Setting Impact Tolerances: Specifying the highest level of disruption that can be tolerated for each principal business service in terms of downtime or degraded performance.
• Scenario Testing: Running thorough high-stress trials to simulate multiple presumable variables of disruption in order to ascertain ability to remain within impact tolerances.
• Mapping and Risk Management: Pinpointing potential weaknesses and dependencies, such as third party engagement, and devising solutions for risk reduction.
• Responsibility at Board Level: Responsibility for compliance and the embedding of the culture of operational resilience within the company rests with the board of directors.

Similarities and Differences with DORA:

Both DORA and UK Op Res frameworks place strong emphasis on operational resilience and proactive ICT risk management.
UK Op Res was introduced slightly earlier, with its first deadline passing in March 2022, while major DORA obligations will take effect from 2025.
There is significant overlap in the areas they cover, and both strive to harmonize operational resilience standards.